When conducting a security risk assessment, it is important to document some of the key findings as evidence to support the risk register and proposed treatments.
Some of the findings may not be significant enough to warrant a risk statement or treatment, yet may still be worth noting as a finding and perhaps including a recommendation to address the issue.
During the course of a security risk assessment you may discover additional material worthy of comment. You might, for example, find a misconfigured router. On its own this is a vulnerability rather than a risk, but it still needs to be recorded. Equally, an electronic access control system that gives everyone 24-hour access and uses no time or zone controls is a weakness even if it is not, by itself, a risk.
The 4C model is helpful for recording audit findings or observations during a security risk assessment. It can also be used to analyze the quality of existing report findings.
Condition. What condition was observed?
Criteria. What should have been observed? What audit or best practice criteria were relevant?
Cause. What are the immediate and underlying (root) causes of the condition?
Consequence. What is the actual or potential impact on objectives or resources/assets?
EXAMPLE: The review noted that 6 out of 10 servers are not running the current software version (CONDITION), despite the organizational security plan mandating that servers be updated within 7 days of a stable software release (CRITERIA). Known vulnerabilities in the old software versions may enable third parties to access commercially sensitive data (CONSEQUENCE). The immediate cause is a lack of resources in the security team; the root CAUSE is the delay in recruiting the three additional personnel funded in the security plan.
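The example above shows that the Condition should be derived from evidence while the Criteria comes from policy and the Cause and Consequence come from analyst judgement. The following is an added illustration, not code from the original page: it evaluates a constructed server inventory against a hypothetical 7-day patch window (the page's CRITERIA), counts the servers that are out of compliance (the CONDITION), keeps the per-server evidence for the risk register, and takes Cause and Consequence as analyst-supplied input. The inventory, server names, versions and dates are all constructed sample data; a server that is behind but still inside the window is deliberately included to show that it does not count against the criteria.

```python
"""Build a 4C finding (Condition, Criteria, Cause, Consequence) from patch
evidence. Added example; the inventory and the 7-day window are constructed
to mirror the page's worked example, not taken from a real organization."""
from dataclasses import dataclass, field
from datetime import date
from typing import List

PATCH_WINDOW_DAYS = 7  # hypothetical policy: update within 7 days of a stable release


@dataclass(frozen=True)
class Server:
    name: str
    installed: str   # version currently running
    current: str     # latest stable version available
    released: date   # date the latest stable version became available


@dataclass
class Finding:
    condition: str
    criteria: str
    cause: str
    consequence: str
    evidence: List[str] = field(default_factory=list)

    def render(self) -> str:
        """Produce the finding in the same CONDITION/CRITERIA/CONSEQUENCE/CAUSE order as the page."""
        lines = [
            f"{self.condition} (CONDITION)",
            f"{self.criteria} (CRITERIA)",
            f"{self.consequence} (CONSEQUENCE)",
            f"{self.cause} (CAUSE)",
            "Evidence:",
        ] + [f"  - {e}" for e in self.evidence]
        return "\n".join(lines)


def overdue(servers: List[Server], as_of: date) -> List[Server]:
    """Servers running an old version where the stable release is older than the window.

    A server that is behind but still within the window is not yet a breach
    of the criteria, so it is excluded here (an edge case worth getting right
    before the number goes into a report)."""
    return [
        s for s in servers
        if s.installed != s.current and (as_of - s.released).days > PATCH_WINDOW_DAYS
    ]


def build_finding(servers: List[Server], as_of: date, cause: str, consequence: str) -> Finding:
    """Condition and evidence come from the data; cause and consequence from the analyst."""
    late = overdue(servers, as_of)
    condition = f"{len(late)} of {len(servers)} servers are not running the current software version"
    criteria = (f"the organizational security plan mandates that servers be updated within "
                f"{PATCH_WINDOW_DAYS} days of a stable release")
    evidence = [
        f"{s.name}: running {s.installed}, current {s.current} released "
        f"{s.released.isoformat()} ({(as_of - s.released).days} days before the review)"
        for s in late
    ]
    return Finding(condition, criteria, cause, consequence, evidence)


# Constructed sample inventory: six web servers 24 days behind, one database
# server 3 days behind (inside the window), three application servers current.
AUDIT_DATE = date(2024, 3, 15)
INVENTORY = (
    [Server(f"web-{i:02d}", "2.3.1", "2.4.0", date(2024, 2, 20)) for i in range(1, 7)]
    + [Server("db-01", "5.1", "5.2", date(2024, 3, 12))]
    + [Server(f"app-{i:02d}", "1.8.2", "1.8.2", date(2024, 1, 5)) for i in range(1, 4)]
)

if __name__ == "__main__":
    finding = build_finding(
        INVENTORY,
        AUDIT_DATE,
        cause="lack of resources in the security team due to delays in recruiting "
              "the three additional personnel funded in the security plan",
        consequence="known vulnerabilities in the old versions may enable third parties "
                    "to access commercially sensitive data",
    )
    print(finding.render())
```

The point of keeping the evidence list attached to the finding is that the Condition sentence in the report can then be traced back to named hosts and dates, which is exactly the supporting material the risk register and treatments need.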
Each recommendation should:
Address the cause and reduce the effect of the matter noted.
Stand alone (i.e. still make sense when read in isolation).
Start with an action word (e.g. "Replace..." not "Consider replacing...").
Add value.
Note: keep the number of recommendations to a minimum; unnecessary recommendations damage credibility and dilute impact.
Recommendations should also be SMART: